All,
Forces beyond my control have
taken me on a little trip back in time to look at SAML 1.0 (I didn’t get
involved in this space until after SAML 1.1 was out so this has been an
interesting learning experience for me). I see that one of the
major differences between dot zero and dot one is changing the recommended
c14n method from canonical XML
(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) to exclusive canonical XML
(http://www.w3.org/2001/10/xml-exc-c14n#). I can
see why this change was made and, although I’ve not yet had the pleasure, I
can imagine that there were some interoperability problems when trying to use
the non-exclusive transform. My question is - how did SAML 1.0
implementations deal with this? Were they only able to interoperate when
signatures where applied to the response in the post profile? What is
the value of a signed assertion if the signature cannot be verified
independent of its original document context (I guess there isn’t one and
that’s why 1.1 made the change but did implementations try to work around it
somehow)? Did implementers end up just using exclusive in spite of the
spec recommendation?
I would appreciate any historical
perspective that can be provided by those of you that have been involved with
stuff longer than I.
Thanks,
Brian
By the way, the
sstc-saml-diff-1.1-draft-01
document has proven to be a very informative resource - I’d like to say thanks
to Prateek, Dipak, Jahan and Robert.